Here is what I am trying to accomplish. There are two existing wired networks, Network1 and Network2. As well as my own network, which we'll call… Network3

Network1 is configured as 172.24.24.0/24
Network2 is configured as 172.24.201.0/24
Network3 is configured as 10.255.254.0/24

There are several other networks available via Network1's gateway (172.24.24.254) as well…

172.24.23.0/24
172.24.22.0/24
192.168.1.0/24
You get the idea. Anyhow, let's continue.

Network2 has internet access

Currently I have a Windows RRAS box that serves as my router which allows me to access all of the machines on Network1 and Network2, as well as the internet via Network2's connection. I allow a very specific set of ports in from Network1 to 1 host on Network3; but we can get into that later. I want to get rid of the RRAS box and replace it with a WRT54GL running Tomato, which from everything I've read should be possible… Just not possible for ME to pull off apparently.

I began by plugging the WAN port into Network2, and my laptop into switch port 1
I then flashed my WRT54GL v1.1 with tomato-WRT54G_WRT54GL_1.28.0025Teaman-VLAN-PPTPD-VPN.bin

Of course I was then off and running with full access to Network2 out the gate. Thinking it surely won't be difficult to assign port 4 to a different VLAN and create a few routing rules, I set to work. And so begins my madness…

Of course I began my work with the GUI on the Network page (Basic->Network), and added a new Bridge (br1) and defined an IP address of 172.24.24.242 and a mask of 255.255.255.0; I left DHCP disabled as Network1 already provides those services [174.24.24.225 and higher are not part of the DHCP scope for Network1]. Heck yes, this seems easy as pie so far!

Next I accessed the VLAN page (Advanced->VLAN) and unchecked Port 1 from vlan0 (LAN) and created a new VLAN (vlan2) with VID 2 and checked the box for Port 1. I assigned the Bridge for vlan2 as my newly created bridge: br1. This step did not work properly. After rebooting the router the VLAN page indicated that Port 1 was in both vlan0 and vlan2. I ended up solving this by setting manual_boot_nv to 1 via nvram commands.

nvram set vlan0ports="2 1 0 5*"   # removes port "3" (physical port 1) from vlan0 so it is only in vlan2
nvram set manual_boot_nv=1
nvram commit

After rebooting, now the GUI shows Port 1 as only being a part of vlan2. Hooray!

At this point I connected physical port 1 of the router to Network1 and verified connectivity by pinging a host on Network1 from the router, success! I also added some routing rules (Advanced->Routing) to specify which other subnets were available via Network1 and verified connectivity to them by pinging various hosts from the router. Great success!

Now, fire up a command prompt on my laptop and see if I can ping a Network1 host and… not a chance. OK, no big deal right? We just need to give br0 access to br1, right? So I head to the LAN Access page (Advanced->LAN Access) and create a rule to allow br0 to access br1 (no src/dst addresses specified), still nothing. hrm… I muck with this screen for a while creating rules for specific hosts, or from br1 to br0 instead… all to no avail. Well crap. I can only assume that what the GUI is actually applying to the router is incorrect (much like the VLAN port allocation).

At this point I've reset the router and only done the most basic configuration, and I'm hoping that someone here who is much smarter than I can come to my rescue! All I have done is set up br1 and vlan2 just as I described above. I have not added the static routes for the other subnets available for Network1, nor have I configured the LAN Access page. I figure if we can get routing working between br0 and br1 I can revisit the other subnets once that is done.

The router itself is able to currently access Network1 (just the 172.24.24.0/24 subnet) as well as Network2 and the internet without issue.

I solved the issue. It's obvious that the problem was I was not using NAT for outgoing packets on br1, so no hosts on Network1 had any idea how to reply to me. Once I finally realized my mistake the fix was a simple change to the POSTROUTING chain in the nat iptable.

Of course it turns out the poor little 200 MHz CPU in the WRT54GL can't sustain more than 40 Mbit of routed throughput, making the whole issue a moot point anyway. At least I can apply the knowledge to a more powerful Tomato-capable router.
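As an added example, not the original poster's configuration: a POSIX shell script that spells out the POSTROUTING/MASQUERADE fix on br1 together with the FORWARD rules that stop Network1 from opening connections into Network3 while still allowing the one-host port allow-list the post mentions. Bridge names and subnets come from the post; placing it in Tomato's firewall script hook is an assumption, and the DNAT port and host are placeholders.

```shell
#!/bin/sh
# Added example, not the original poster's script: NAT and forwarding rules for
# a Tomato router with br0 = Network3 (10.255.254.0/24) and br1 = Network1
# (172.24.24.0/24, router address 172.24.24.242). DNAT port/host are placeholders.
LAN_BR="br0"     # Network3 side
NET1_BR="br1"    # Network1 side
# Hosts on Network1 have no route back to 10.255.254.0/24, so source-NAT
# everything leaving br1 to the router's own Network1 address.
masquerade_rule() {
  printf 'iptables -t nat -A POSTROUTING -o %s -j MASQUERADE\n' "$1"
}
# Let br0 open connections to br1; let br1 send back only replies to
# flows that br0 (or an explicit DNAT rule below) started.
forward_rules() {
  printf 'iptables -A FORWARD -i %s -o %s -j ACCEPT\n' "$LAN_BR" "$NET1_BR"
  printf 'iptables -A FORWARD -i %s -o %s -m state --state ESTABLISHED,RELATED -j ACCEPT\n' \
    "$NET1_BR" "$LAN_BR"
}
# One explicitly allowed inbound TCP port from Network1 to a single
# Network3 host; placeholders because the post names neither.
dnat_rule() {
  port="$1"; host="$2"
  printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
    "$NET1_BR" "$port" "$host" "$port"
  printf 'iptables -A FORWARD -i %s -o %s -p tcp -d %s --dport %s -j ACCEPT\n' \
    "$NET1_BR" "$LAN_BR" "$host" "$port"
}
# Everything else from Network1 into Network3 is dropped (must come last).
drop_rule() {
  printf 'iptables -A FORWARD -i %s -o %s -j DROP\n' "$NET1_BR" "$LAN_BR"
}
all_rules() {
  masquerade_rule "$NET1_BR"
  forward_rules
  dnat_rule "${DNAT_PORT:-PLACEHOLDER_PORT}" "${DNAT_HOST:-PLACEHOLDER_HOST}"
  drop_rule
}
rule_count() { all_rules | wc -l | tr -d ' '; }
# Print the rules by default; APPLY=1 executes them (e.g. from the firewall script).
if [ "${APPLY:-0}" = "1" ]; then
  all_rules | while IFS= read -r cmd; do $cmd; done
else
  all_rules
fi
```

Run it without APPLY first to review the generated rules; a quick `iptables -t nat -L POSTROUTING -v` afterwards confirms the MASQUERADE counters move when a Network3 host pings across.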